[Snort-users] Barnyard2 - Phantom cid/sid?

Eoin Miller eoin.miller at ...14586...
Thu Jan 24 11:22:20 EST 2013


Anyone want to take a stab at where barnyard2 (2.1.9) manages to get sid
and cid values for a database that has been reset completely?

mysql> use snortdb;
Database changed
mysql> select * from sensor;
Empty set (0.00 sec)


Deleted the PID, waldo files, and even restarted Suricata so the
unified2 file is shiny and new as well. However, Barnyard2 just silently
failed logging to the snortdb (running Sguil output as well, but that
continued to work perfectly).

Start it up, it still thinks it has sensor id 2 and cid 3071365 even
though there is blank database. Where the heck is this stuff cached?

---SNIP---

Found pid path directive (/nids/barnyard2/pid)
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/nids/barnyard2/etc/barnyard2-eth1eth6-0.conf"
Found pid path directive (/nids/barnyard2/pid)
Log directory = /nids/barnyard2/log
Checking PID path...
PID path stat checked out ok, PID path set to /nids/barnyard2/pid
Writing PID "9618" to file "/nids/barnyard2/pid/barnyard2_eth1eth6-0.pid"
Node unique name is: nids-egress-mtc01:eth1eth6-0

database: inconsistent cid information for sid=2
          Recovering by rolling forward the cid=3071364
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = 127.0.0.1
database:           user = snort
database:  database name = snortdb
database:    sensor name = nids-egress-mtc01:eth1eth6-0
database:      sensor id = 2
database:     sensor cid = 3071365
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

WARNING: Unable to open waldo file '/nids/barnyard2/log/bond0-0.waldo'
(No such file or directory)
Waiting for new spool file
---SNIP---




More information about the Snort-users mailing list